Academics will never get the data that they want

By Luther Martin — July 12, 2011

Academic researchers in information security would love to have some useful data to work with. Without data, lots of research isn't possible, and there's really not much data available for the entire field of information security.

Lots of researchers would like the government to require businesses to report all sorts of data about information security incidents. When I was at the National Cyber Leap Year meeting a year or two ago, that was their biggest single request.

I certainly hope that the government doesn't require businesses to report this sort of information. As a person who used to run a small business, I might be more sensitive to these issues than some people, but I can easily see this becoming a requirement that's very difficult and expensive for businesses to comply with.

And even if the government could somehow find a way to collect this data in a way that doesn't cost anything at all, its existence would be a huge security and privacy problem. Even if it's anonymized.

As I mentioned in a previous post, anonymizing data doesn't really work very well. This means that it would probably be impractical for researchers to have access to a hypothetical database of information about security incidents without giving them way more information than they really need.

So because I doubt that we'll have workable solutions to either of these problems any time soon, I expect that academics will never get the data that they'd like to have.